Port Channel Design for PA Firewalls

This project was to help ensure the VPNs had enough bandwidth during company meetings. This was at the height of COVID when we were stretching our resources in our data center.

I first mapped out the topology changes and then followed up with the change request.

Proposed Cabling:

Palo Alto Proposed Changes:

  1. Create an Aggregate Ethernet group (AE interface).
  2. Add interfaces ethernet1/19 and ethernet1/20 as its members.
  3. Commit and confirm the configuration has synced to the passive HA peer, IDC001-PA02.

Core Switch Proposed Changes:

  1. Create Port Channels 213 and 214.

interface Port-channel213
 description PortChannel to <FirewallA>
 no switchport
 no ip address
 no platform qos channel-consistency
 switch virtual link 1
end

interface Port-channel214
 description PortChannel to <FirewallB>
 no switchport
 no ip address
 no platform qos channel-consistency
 switch virtual link 2
end

Two caveats on these stanzas. First, the members are bundled with `channel-group ... mode on` (next steps), which is a static bundle: neither side negotiates, so a miscabled or mismatched member is not detected by the switch and simply blackholes traffic; if LACP is enabled on the PA aggregate group, the switch side must use `mode active` or `mode passive` instead, and the two sides must agree. Second, on a Catalyst VSS `switch virtual link <n>` under a port-channel designates that port-channel as the Virtual Switch Link between the two chassis (together with `no platform qos channel-consistency` it is the VSL template); it does not belong on a firewall-facing port-channel and should be left out of Port-channel213 and 214.

  2. Assign the member interfaces to port channel 213.

interface GigabitEthernet1/2/36
 description PortChannel to <FirewallA>
 no switchport
 no ip address
 no cdp enable
 channel-group 213 mode on
end

interface GigabitEthernet1/2/37
 description PortChannel to <FirewallA>
 no switchport
 no ip address
 no cdp enable
 channel-group 213 mode on
end

  3. Assign the member interfaces to port channel 214.

interface GigabitEthernet2/2/36
 description PortChannel to <FirewallB>
 no switchport
 no ip address
 no cdp enable
 channel-group 214 mode on
end

interface GigabitEthernet2/2/37
 description PortChannel to <FirewallB>
 no switchport
 no ip address
 no cdp enable
 channel-group 214 mode on
end

Note that both members of Po213 sit on VSS chassis 1 (Gi1/2/x) and both members of Po214 on chassis 2 (Gi2/2/x), so a chassis failure takes down a whole bundle rather than half of one. That is acceptable here only because the firewalls are an active/passive HA pair, each homed to a different chassis; a single firewall would want one member on each chassis.

  4. Verify the change: on the core switch confirm that both members of each bundle show as bundled (`show etherchannel summary`), and on both firewalls (PA001 and PA002) confirm that the aggregate interface and its members are up/up (`show interface <ae-name>`) and that traffic is being spread across the aggregate rather than a single member.
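As an added example (not part of the original change request), the following Python script renders the member-port stanzas for the two port-channels above from a single plan and then checks a `show etherchannel summary` capture against that same plan, so the verification step can be repeated after every change window instead of eyeballing the output. The summary text inside it is constructed sample output, not a capture from the core switch, and the short interface names (Gi1/2/36 etc.) are assumptions taken from the stanzas above.

```python
"""Plan-versus-state check for the static port-channels to the PA firewalls.

Added example, not code from the original post. Assumes the port-channel
numbers and member ports from the change request above; SAMPLE_SUMMARY is
constructed output in the 'show etherchannel summary' format, not a capture.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class PortChannelPlan:
    """One planned bundle: its number, the firewall it faces and its members."""
    number: int
    peer: str
    members: tuple[str, ...]


# The two bundles from the change request (IOS short interface names, assumed).
PLAN = (
    PortChannelPlan(213, "FirewallA", ("Gi1/2/36", "Gi1/2/37")),
    PortChannelPlan(214, "FirewallB", ("Gi2/2/36", "Gi2/2/37")),
)


def render_member_config(pc: PortChannelPlan) -> str:
    """Render identical member-port stanzas for one bundle.

    With 'mode on' nothing is negotiated, so both members must be configured
    the same way; generating them from one plan avoids copy/paste drift.
    Stanzas are separated with '!' rather than 'end' so the whole text can be
    pasted into config mode in one go.
    """
    lines = []
    for member in pc.members:
        long_name = member.replace("Gi", "GigabitEthernet", 1)
        lines += [
            f"interface {long_name}",
            f" description PortChannel to <{pc.peer}>",
            " no switchport",
            " no ip address",
            " no cdp enable",
            f" channel-group {pc.number} mode on",
            "!",
        ]
    return "\n".join(lines)


# One data row, e.g. '213    Po213(RU)        -        Gi1/2/36(P)    Gi1/2/37(P)'
ROW_RE = re.compile(r"^\s*(\d+)\s+Po(\d+)\(([A-Za-z]+)\)\s+(\S+)\s+(.*)$")
# One member entry inside the Ports column, e.g. 'Gi1/2/36(P)'
PORT_RE = re.compile(r"([A-Za-z]+\d+(?:/\d+)*)\(([A-Za-z]+)\)")


def parse_etherchannel_summary(text: str) -> dict[int, dict]:
    """Return {group: {'flags': 'RU', 'protocol': '-', 'ports': {name: flag}}}."""
    groups: dict[int, dict] = {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue  # legend, headers and separators never start with a group number
        group, _, flags, proto, ports = m.groups()
        groups[int(group)] = {
            "flags": flags,
            "protocol": proto,
            "ports": {name: flag for name, flag in PORT_RE.findall(ports)},
        }
    return groups


def check_port_channel(pc: PortChannelPlan, summary: dict[int, dict]) -> list[str]:
    """Compare one planned bundle with the parsed switch state.

    Returns a list of problems; an empty list means the bundle is as designed:
    Layer 3 (R), in use (U), every planned member bundled (P), no extras.
    """
    state = summary.get(pc.number)
    if state is None:
        return [f"Po{pc.number}: not present on the switch"]
    problems = []
    if "R" not in state["flags"]:
        problems.append(f"Po{pc.number}: expected Layer 3 (R), flags are {state['flags']}")
    if "U" not in state["flags"]:
        problems.append(f"Po{pc.number}: aggregator not in use, flags are {state['flags']}")
    for member in pc.members:
        flag = state["ports"].get(member)
        if flag is None:
            problems.append(f"Po{pc.number}: {member} is not a member")
        elif flag != "P":
            problems.append(f"Po{pc.number}: {member} is '{flag}', not bundled (P)")
    for member in sorted(set(state["ports"]) - set(pc.members)):
        problems.append(f"Po{pc.number}: unexpected member {member}")
    return problems


# Constructed sample (not a capture): Po213 is healthy, one member of Po214 is down.
SAMPLE_SUMMARY = """\
Flags:  D - down        P - bundled in port-channel
        I - stand-alone s - suspended
        R - Layer3      S - Layer2
        U - in use      f - failed to allocate aggregator

Number of channel-groups in use: 2
Number of aggregators:           2

Group  Port-channel  Protocol    Ports
------+-------------+-----------+-----------------------------------------------
213    Po213(RU)        -        Gi1/2/36(P)    Gi1/2/37(P)
214    Po214(RU)        -        Gi2/2/36(P)    Gi2/2/37(D)
"""


def verify_plan(plan=PLAN, summary_text: str = SAMPLE_SUMMARY) -> dict[int, list[str]]:
    """Check every planned bundle; {number: [problems]}."""
    summary = parse_etherchannel_summary(summary_text)
    return {pc.number: check_port_channel(pc, summary) for pc in plan}


if __name__ == "__main__":
    for pc in PLAN:
        print(render_member_config(pc))
    for number, problems in verify_plan().items():
        print(f"Po{number}: {'OK' if not problems else '; '.join(problems)}")
```

Feed `verify_plan` the real `show etherchannel summary` text after the change window; a non-empty problem list means a member did not bundle, which with a static `mode on` bundle the switch will not flag on its own, and the usual causes are a wrong port, a `mode on` versus LACP mismatch with the PA aggregate group, or a member that never came up.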
